Reforms to whistleblower protection laws pass Parliament

WHO SHOULD READ THIS

• All public and large proprietary companies.

THINGS YOU NEED TO KNOW

• The Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2019 (Cth) received Royal Assent on 12 March 2019. It provides a single, strengthened whistleblower protection regime covering the corporate, financial and credit sectors.

WHAT YOU NEED TO DO

• Public and large propriety companies must ensure that they have a compliant whistleblower policy in place as soon as possible (no later than 1 January 2020 to avoid penalties) and provide additional training to ensure that potential eligible recipients of disclosures know how to identify a whistleblower report and what to do if or when they receive one.

Nearly half a decade after the Senate Economics References Committee recommended a review of Australia’s corporate whistleblower framework, reforms to Australian whistleblower protection laws have finally been passed.

The Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2019 (Cth) (Whistleblower Bill) was initially introduced to Parliament on 7 December 2017 and was passed on 19 February 2019.  The Whistleblower Bill amends the Corporations Act 2001 (Cth), Taxation Administration Act 1953 (Cth), Banking Act 1959 (Cth) and Insurance Act 1973 (Cth) to provide a single, strengthened whistleblower protection regime covering the corporate, financial and credit sectors.

Expanded whistleblower protections

The Whistleblower Bill expands the existing whistleblower framework by:

• extending the range of people who are eligible to make protected disclosures to include not only former officers, employees and suppliers of the entity in question, but the family members of these people as well. Previously, eligible whistleblowers only included current officers, employees or suppliers of the entity under question;
• allowing the making of protected disclosures about a broader range of misconduct, including concerns about corporate corruption, bribery, fraud, money laundering and terrorist financing. Previously, disclosures were limited to breaches of the Corporations Act 2001 (Cth) or the Australian Securities and Investments Commission Act 2001 (Cth). It should be noted, however, that personal or professional work-related grievances are not within the scope of protected disclosures;
• changing the range of people who are eligible to receive protected disclosures to include officers or senior managers of the company, the company’s auditors, actuaries or another person authorised by the company, but removing the person’s managers or supervisors. This is intended to reduce the compliance burden on companies by having only a select group of employees who can receive disclosures. Companies should also be aware that disclosure to a lawyer for the purposes of obtaining legal advice will also be a protected disclosure;
• allowing anonymous disclosures;
• removing the ‘good faith’ requirement, so that it is sufficient that the whistleblower has objectively reasonable grounds to suspect misconduct or a contravention or an improper state of affairs or circumstances;
• allowing protected ’emergency’ or ‘public interest’ disclosures to be made to journalists or members of Parliament in extreme cases (excluding tax matters) in circumstances where at least 90 days have passed since an earlier protected disclosure has been made without reasonable steps having been taken to address the misconduct, or there will be substantial and imminent danger to someone’s health or safety;
• expanding the protections available to whistleblowers who suffer reprisals as a result of making a protected disclosure; and
• reversing the onus of proof when a person seeks compensation (after they have pointed to evidence that suggests there is a reasonable possibility that they have suffered detriment or have received a threat of detriment).

Whistleblower policies

The Whistleblower Bill also introduces a new requirement for all public companies and large proprietary companies to have a ‘compliant’ whistleblower policy in place.

A large proprietary company is a proprietary company which has at least two of the following characteristics:

• the consolidated revenue for the financial year of the company and any entities it controls is $25 million or more;
• the value of the consolidated gross assets at the end of the financial year of the company and any entities it controls is $12.5 million or more; and
• the company and any entities it controls have 50 or more employees at the end of the financial year.

For a whistleblower policy to be ‘compliant’, it must contain the following information:

• the protections available to whistleblowers;
• the person/organisations to whom protected disclosures may be made, and how they can be made;
• how the company will support whistleblowers and protect them from detriment;
• how the company will investigate protected disclosures;
• how the company will ensure fair treatment of employees of the company who are mentioned in protected disclosures, or to whom such disclosures relate;
• how the policy is to be made available to officers and employees of the company; and
• any other matters prescribed by the regulations from time to time.

Timeframes for compliance

The amended laws will take effect from 1 July 2019 and will apply to disclosures made on or after commencement but may relate to conduct which occur or occurred before, at or after commencement.

Importantly, the compensation and remedies amendments will apply to disclosures made prior to the amendments taking effect provided that the disclosure was such that it would have been protected had the Whistleblower Bill been in force at the time.

The Whistleblower Bill provides companies with a six month transitional period from the commencement of the amended laws (i.e. by 1 January 2020) in which to put a whistleblower policy in place.  As a company may be liable for other breaches during this period, however, we recommend putting a compliant whistleblower policy in place as early as possible to allow adequate time for the integration of the policy into existing governance practices, as well as to minimise any risk of breaching the amended laws.

Significant penalties for breaches

The Whistleblower Bill also significantly increases civil and criminal penalties for breaches of the new whistleblower protection laws.

Companies who fail to have a compliant whistleblower policy may be subject to a civil penalty of 60 penalty units (currently $12,600).

Further, breaching the confidentiality of the identity of a whistleblower, or victimising (or threatening to victimise) a whistleblower may incur a maximum civil penalty (as a result of the Treasury Laws Amendment (Strengthening Corporate and Financial Sector Penalties) Bill 2018 (Cth) passed by Parliament on 18 February 2019) of:

for an individual, the greater of:

• 5,000 penalty units (currently $1.05 million); or
• three times the benefit derived or detriment avoided; and

for companies, the greater of:

• 50,000 penalty units (currently $5 million);
• three times the benefit derived or detriment avoided; or
• 10% of the body corporate’s annual turnover,
• up to 1 million penalty units (currently $210 million).

Breaching the confidentiality of the identity of a whistleblower or victimising (or threatening to victimise) a whistleblower may also incur significant criminal penalties.

Additional considerations for listed companies

As we have previously reported, the ASX Corporate Governance Council has now released the final version of the fourth edition Corporate Governance Principles and Recommendations which will take effect for listed companies as soon as 1 January 2020 (depending on  the company’s financial year).

Relevantly, the fourth edition includes a new recommendation (Recommendation 3.3) that a listed entity should:

• have and disclose a whistleblower policy; and
• ensure that the board or a committee of the board is informed of any material incidents reported under that policy.

What you need to do

Public and large propriety companies must ensure that they have a compliant whistleblower policy in place as soon as possible (no later than 1 January 2020 to avoid penalties). However, if the policy is not implemented properly it will not provide adequate protection.  Companies should also provide additional training and internal communications to ensure that potential eligible recipients of disclosures know how to identify a whistleblower report and what to do if or when they receive one.

On an individual level, company officers should also review their D&O insurance arrangements.

For further information on any of the issues raised in this alert please contact the below team. 

This publication covers legal and technical issues in a general way. It is not designed to express opinions on specific cases. It is intended for information purposes only and should not be regarded as legal advice. Further advice should be obtained before taking action on any issue dealt with in this publication.